CVE-2024-22168

EUVD-2024-19764

24.06.2024, 23:15

A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry out malicious activities.The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
western_digital	my_cloud_home_web_app	𝑥 < 4.28.0-102	ADP
sandisk	ibi_web_app	𝑥 < 4.28.0-102	ADP
western_digital	wd_cloud_web_app	𝑥 < 4.28.0-102	ADP
western_digital	my_cloud_web_app	𝑥 < 4.28.0-102	ADP

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://www.westerndigital.com/support/product-security/wdc-24003-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-web-app-update